7-point Security Checklist for Managing PLCs Through VPN

August 17, 2021
Richard Theron

If you’re responsible for interfacing your plant’s third-party devices, if you’re new to thinking about connectivity and cybersecurity, or if security hasn’t been on your mind lately, it’s probably time for a checkup.

Unlike a dental checkup, this one doesn’t have to be something to fear or dread. It is, however, just as important because a security checkup can ensure the good health and protection of your systems.

Doing security checkups is something we’re experts at. It’s not just what we do, it’s how we think when developing our MSA FieldServer solutions.

Of course, we can’t possibly share everything we know about security here, but we can share our finely tuned 7-point checklist so you can use it for your own DIY checkup.

Keep in mind that this checklist is to help ensure a stable and secure connection to your PLCs (programmable logic controllers). So, please see your dentist for that other kind of checkup.

Before You Start

In our world, we toss around acronyms like they’re hot-buttered popcorn. Just to be sure we’re all on the same page, let’s first clarify a few important definitions.

VPN stands for Virtual Private Network. This network is specifically designed to limit public access by leveraging encryption technologies. Although a VPN can enable anytime, anywhere remote access to devices for authorized users, it also works to keep data hidden from unauthorized users.

PLC or Programmable Logic Controller is a type of computer that makes logic-based decisions for automated systems based on various inputs and outputs. In the United States, Allen Bradley is among the most common PLCs used for automation.

The Checklist

Now onto the checklist. We encourage you to get into the habit of scheduling this routine security checkup. With a little bit of time and some consistent effort, you could save yourself and your plant from a catastrophic breach.

Does your VPN Cloud meet the latest cybersecurity standards?

Check the cybersecurity certificates and see if they are up to date. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) certificates help support a secure and trustworthy connection. If the certificates are outdated, invalid, or missing, you’re lacking a critical protection to keep unauthorized users out.
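The certificate check above can be scripted rather than done by hand. The following is an added example written for this page (it is not MSA or FieldServer code): it connects to a VPN endpoint with Python's standard-library `ssl` module, lets the default context verify the chain and hostname against the system trust store, and then classifies the leaf certificate as ok, expiring, expired, or not yet valid. The 30-day warning window and the sample certificate dictionary are assumptions constructed for the example; the dictionary mimics what `SSLSocket.getpeercert()` returns.

```python
"""Check whether the TLS certificate presented by a VPN endpoint is current.

Added example, not MSA/FieldServer code. Uses only the standard library:
``ssl`` to fetch the peer certificate and ``ssl.cert_time_to_seconds`` to
parse the ``notBefore``/``notAfter`` strings that ``getpeercert()`` returns.
"""
import socket
import ssl
import sys
import time
from typing import Optional

WARN_DAYS = 30  # assumed policy: warn when less than 30 days of validity remain

# Constructed sample in SSLSocket.getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "notBefore": "Jan 10 00:00:00 2021 GMT",
    "notAfter": "Sep 15 00:00:00 2021 GMT",
}


def parse_cert_time(cert_time: str) -> float:
    """Convert a getpeercert() timestamp ('Sep 15 00:00:00 2021 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def evaluate_cert(cert: dict, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> dict:
    """Classify a certificate dict as 'ok', 'expiring', 'expired' or 'not_yet_valid'.

    ``now`` is epoch seconds; it defaults to the current time so the same
    function serves both a live check and a test against a fixed audit date.
    """
    now = time.time() if now is None else now
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if now < not_before:
        status = "not_yet_valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    # subject is a tuple of RDNs, each a tuple of (name, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "subject": subject.get("commonName", "?"),
        "days_left": round(days_left, 1),
        "status": status,
    }


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, verify the chain and hostname, and evaluate the leaf.

    A verification failure (expired chain, wrong name, unknown CA) is
    reported as status 'invalid' instead of raising, so a sweep over many
    gateways can continue and list every problem at the end.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"subject": host, "days_left": None, "status": "invalid", "reason": str(exc)}


if __name__ == "__main__":
    # Offline demonstration against the constructed sample at an assumed audit date.
    audit_time = parse_cert_time("Aug 17 00:00:00 2021 GMT")
    print("sample:", evaluate_cert(SAMPLE_CERT, now=audit_time))
    # Live check: python check_cert.py vpn.example.com 443
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(sys.argv[1], check_endpoint(sys.argv[1], port))
```

Run it on a schedule against every VPN cloud endpoint and remote gateway and treat anything other than `ok` as a finding; the `invalid` status is the one to act on first, because it means clients connecting to that endpoint either fail or have been told to skip verification.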

Do you have strict password policies in place for all three components: computer, VPN Cloud, and remote gateway?

Cyberhackers love to attack devices and often will target via remote management – even with SSL VPN enabled. Strict passwords add another layer of protection to help stop cyberthieves from accessing devices and bypassing authentication so they can manipulate device configurations. Remind authorized users to change their passwords frequently, as well as to use strong, hard-to-guess passwords (no telephone numbers, birthdates, etc.). Having a strong password policy – and enforcing it – can go a long way toward preventing attacks.

Is your VPN connection open longer than necessary or all the time?

This is one of the biggest no-nos. Why? Because a VPN connection is essentially an open door to smart and savvy cyberhackers. Here are some best practices you can implement starting today:

(a) Discourage all-day connection, even by authorized users.

(b) Set and enforce a policy of VPN connection only as necessary, such as when retrieving data or downloading files.
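Enforcing the "only as necessary" policy in (b) is easier when you can see which sessions have outlived it. The following is an added example, not FieldServer or OpenVPN project code: it parses the classic OpenVPN status file (the status-version 1 layout, with a CLIENT LIST table that carries a "Connected Since" column) and lists every session older than an assumed two-hour limit. The status text, client names, addresses and the two-hour policy are all constructed for the example.

```python
"""Flag VPN sessions that have stayed up longer than policy allows.

Added example, not FieldServer code. It reads an OpenVPN status-version-1
file (the layout with "OpenVPN CLIENT LIST" / "ROUTING TABLE" sections) and
reports sessions whose age exceeds MAX_SESSION_HOURS. The sample text below
is constructed for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List

MAX_SESSION_HOURS = 2  # assumed site policy: connect, do the job, disconnect
STATUS_TIME_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Aug 17 02:00:00 2021"

# Constructed sample status file (addresses are documentation ranges).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Aug 17 10:00:00 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
integrator-laptop,203.0.113.5:41234,845120,1202233,Tue Aug 17 01:30:00 2021
plant-eng-02,198.51.100.7:55011,10240,20480,Tue Aug 17 09:15:00 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,integrator-laptop,203.0.113.5:41234,Tue Aug 17 09:59:00 2021
10.8.0.10,plant-eng-02,198.51.100.7:55011,Tue Aug 17 09:58:00 2021
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text: str) -> Dict:
    """Return {'updated': datetime, 'clients': [...]} from a status-version-1 file."""
    updated = None
    clients: List[Dict] = []
    in_clients = False
    for line in text.splitlines():
        if line.startswith("Updated,"):
            updated = datetime.strptime(line.split(",", 1)[1], STATUS_TIME_FMT)
        elif line.startswith("Common Name,"):
            in_clients = True  # header row of the CLIENT LIST table
        elif line.startswith("ROUTING TABLE"):
            in_clients = False  # end of the CLIENT LIST table
        elif in_clients and line:
            cn, real_addr, rx, tx, since = line.split(",")
            clients.append({
                "cn": cn,
                "real_address": real_addr,
                "bytes_in": int(rx),
                "bytes_out": int(tx),
                "connected_since": datetime.strptime(since, STATUS_TIME_FMT),
            })
    if updated is None:
        raise ValueError("no 'Updated,' line: not a status-version-1 file")
    return {"updated": updated, "clients": clients}


def long_sessions(text: str, max_hours: float = MAX_SESSION_HOURS) -> List[Dict]:
    """List sessions older than max_hours, measured against the file's own Updated time."""
    status = parse_status(text)
    limit = timedelta(hours=max_hours)
    hits = []
    for client in status["clients"]:
        age = status["updated"] - client["connected_since"]
        if age > limit:
            hits.append({
                "cn": client["cn"],
                "real_address": client["real_address"],
                "hours_connected": round(age.total_seconds() / 3600, 2),
            })
    return hits


if __name__ == "__main__":
    for hit in long_sessions(SAMPLE_STATUS):
        print(f"{hit['cn']} from {hit['real_address']} up {hit['hours_connected']} h "
              f"(limit {MAX_SESSION_HOURS} h)")
```

Point it at the real status file (the path given by the `status` directive in the server config) from a cron job and feed the hits to whatever alerting you already use; the age is measured against the file's own "Updated" stamp, so a stale file does not produce false alarms about sessions that have since closed.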

Is your VPN access limited to valid business reasons only?

Employees come and go, so continuously monitor and update your authorized users list and access. In fact, only select individuals should have full and total access to the network. In addition, review your policies to ensure that you’ve adequately addressed who can access the system, as well as when and how often. Clearly define all usage restrictions in your cybersecurity policies.

Is every computer that has VPN access equipped with the latest security updates?

Run a check on any computer that’s connected to the VPN. Again, this is another potential entry point that must be secured. Make sure operating systems, security certificates, firmware, anti-virus, and firewall protections are up to date. Remember: If a computer is connected to the VPN, it must be secured.

Do you avoid wireless networks?

Wireless networks should be a second option when accessing the VPN connection since they, too, can open your connection to attack. Establish clear policies about internet usage, including the “who,” “what,” “when,” and “where” of wireless connectivity. Also ensure that your WAP (wireless access point) has the latest security policies in place.

Are you using a gateway with a LAN (local area network) and WAN (wide area network) port and a firewall at remote sites?

If you’re not, you should be, if you want the strongest possible protection for VPN access. Our FieldServer portfolio of products does this for you. Not only do FieldServer solutions integrate new and legacy devices, they also help ensure robust security. For example, our advanced OpenVPN interface enables an encrypted and authenticated secure tunnel from any connected computer or device. It acts as a secure proxy, allowing access to your devices while also protecting both ends of the tunnel – and that helps keep your data and systems secure.

The Next Step

Once you’ve gone through this 7-point checklist and identified areas for improvement, it’s time to act.

Securing your connected devices is vital to protecting your systems from attack. Start by prioritizing the high-risk items first, then work your way through any deficiencies until you’ve shored up every potential weakness.

Depending on where your vulnerabilities are, you may have to move this task to the top of your to-do list. If you’re short on time or need expert assistance, contact your local MSA representative.

Richard Theron
Richard Theron is the product line manager for FieldServer at MSA, where he works intimately with companies in the building automation, industrial automation, energy management and life safety markets to help them cloud-enable their equipment.
